On Mon, Aug 11, 2014 at 12:30 PM, Alexander Bokovoy <aboko...@redhat.com> wrote:
> On Mon, 11 Aug 2014, Michael Lasevich wrote:
>
>> So, it is NOT intended to use for border-style 2FA authentication (i.e.
>> VPN) - which seems may be a common use case for 2FA?
>>
> You can always supplement authentication check with some host-specific
> information at the VPN concentrator. We don't have ready to use solution
> here but it is definitely possible to use such scheme against FreeIPA
> 2FA.
>

Sorry, I am not following. What do you mean by "host-specific information"? If system has no way to detect how many factors were involved in authentication, how would I be able to guarantee that only 2FA is allowed via this box?

I suppose this can work: I can write code that will:

1 - detects if there are OTP numbers at the end of the password
2 - authenticates using full 2FA
3 - authenticates using just password without 2FA

And then authenticate only if all 3 conditions are satisfied. Seems a bit hacky, but that is the only way I can think that may work.

Alternative is to set up 2 users for each actual user, one for border and one for internal auth. Force 2FA on border user. Only allow border users on border boxes.

Am I missing anything?

-M

> --
> / Alexander Bokovoy
>
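The three-condition check proposed in the message above, as an added example that is not part of the original thread and not FreeIPA code. It assumes six-digit token codes appended to the password and an account that the directory accepts with either the password alone or password plus code; `border_login`, `ConstructedDirectory` and the sample accounts are hypothetical names and constructed data.

```python
import hmac
import re

OTP_DIGITS = 6  # assumption: token codes are six decimal digits


def border_login(user, credential, authenticate):
    """Apply the three checks from the message; True only if all pass.

    authenticate(user, secret) -> bool is a hypothetical callable standing in
    for the border box's check against the directory.
    """
    password, code = credential[:-OTP_DIGITS], credential[-OTP_DIGITS:]
    # 1 - the credential must end in OTP digits after a non-empty password
    if not password or not re.fullmatch(r"[0-9]{%d}" % OTP_DIGITS, code):
        return False
    # 2 - the full password+OTP string must authenticate
    if not authenticate(user, credential):
        return False
    # 3 - the password part alone must authenticate too; if it does not,
    #     the trailing digits were part of a single-factor password
    return authenticate(user, password)


class ConstructedDirectory:
    """Constructed stand-in: accepts password alone or password+current code."""

    def __init__(self, accounts):
        self.accounts = accounts  # user -> (password, current code or None)

    def authenticate(self, user, secret):
        if user not in self.accounts:
            return False
        password, code = self.accounts[user]
        valid = [password] if code is None else [password, password + code]
        return any(hmac.compare_digest(secret.encode(), v.encode()) for v in valid)


# Constructed sample accounts: alice has a token, bob's password ends in digits.
DIRECTORY = ConstructedDirectory({
    "alice": ("correct horse", "492817"),
    "bob": ("hunter2024123456", None),
})

if __name__ == "__main__":
    for user, cred in [("alice", "correct horse492817"), ("alice", "correct horse"),
                       ("bob", "hunter2024123456")]:
        print(user, border_login(user, cred, DIRECTORY.authenticate))
```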